DETAILED ACTION

The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. The previous office action(s) is/are incorporated by 
reference in its/their entirety. The examiner assumes that the applicant agrees with any 
well-known prior art statements or rejections made by the examiner in the previous 
office action(s) that were not argued. Any objection or rejections not repeated below for 
record are withdrawn due to applicant's amendments and/or arguments. 

Claims 1, 4, 5, 13-15, 20, 22, 29, 30, and 33 were amended. Claims 1-33 are
pending. 

Information Disclosure Statement 

The IDS submitted by the applicant on 5/26/2005 has been considered.

Response to Amendment 
Applicant's amendments have been considered. The amendment raises new 
issues and changes the scope of the claims. See new rejections below. 

Response to Arguments 
Applicant's arguments with respect to claims 1-33 were considered and were not
persuasive and further are moot in view of the new ground(s) of rejection presented 
below. 

Claim Objections 

Claims 13 and 14 are objected to because of the following informalities: Claims 
13 and 14 have now been amended to recite "data items" instead of merely "item" as 
they were originally. The basis for the ordering algorithms in claims 13 and 14 as
originally recited can be found in the specification on pages 9-10. It is unclear how the
amendment of "item" to "data item" distinguishes from the claims as they were originally
recited. As the algorithms in the specification do not recite "data items", the examiner
assumes that "data item" is synonymous with "item" and that the scope of the claims
has not changed though the wordings may be slightly different and that the prior office
action's rejections of the algorithms recited in claims 13 and 14 are still valid since
applicant did not argue those rejections.

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-4, 6-7, 10-11, 21-22, 25-27, and 29-32 are rejected under 35 
U.S.C. 102(e) as being anticipated by Belani et al (US 6,772,350). 
Claim 1: 

Belani discloses a computer-implemented data security system that facilitates 
securing a data item, comprising: 

1. A data store that includes at least one hierarchical data structure that comprises
a plurality of data items (col 3, lines 39-43; col 4, lines 55-57; and col 6, lines 50-61).

2. A security component that applies at least one security policy to each of the
plurality of data items within a defined region in the data store (col 2, lines 60-63).

The examiner has interpreted "data store" to include anything which is capable of 
storing data, i.e. a database, memory, hard drive, server, network, data structure, folder, 
etc. Belani discloses that the resources in his invention are hierarchical and/or have a
hierarchical relationship (col 3, lines 39-43) and that a resource can be databases, files,
etc. or operational resources such as devices or processes (col 4, lines 55-57). The
examiner notes that files and databases are also types of data structures and as such, 
Belani discloses hierarchical data structures. 

The data items are inherently located in a defined region of the data store. For 
example if a data store is a hard drive or server and a data item is a file or folder, the file 
or folder is located on specific sectors of the hard drive. Other broader interpretations 
for the term "defined region" also apply, i.e. a folder can be considered to define a 
region as all the files in the folder share that folder's security policy by default unless 
overridden with another security policy. A folder is located in a data store as well as 
being a data store itself. 
Claim 2: 

Belani further discloses the hierarchical data structure is at least one of a tree 
structure and a containment hierarchy, i.e. resource hierarchy (Fig 5 and col 8, lines 15-26).

Claim 3:

Belani further discloses the containment hierarchy is modeled as a Directed
Acyclic Graph (DAG) (col 8, lines 15-26; Fig 5 and Fig 6).
Claim 4: 

Belani further inherently discloses the security policy is mapped to one or more 
defined regions that are associated with a data store (col 6, lines 50-61 and col 9, lines 
51-59). 
Claim 6: 

Belani further discloses the security policy is at least one of inherited by an item 
(col 6, lines 50-61). The limitation of the security policy is at least one of explicitly 
mapped to an item is inherent to Belani's invention because at least one item must have 
a security policy explicitly mapped to the item. If this were not the case, then there 
would not be security policy for an item further down the hierarchy to inherit. 
Claim 7: 

Belani further discloses the security component includes an Access Control List 
having one or more Access Control Entries (col 6, lines 63-col 7, line 4). 
Claim 10: 

Belani further discloses the security component specifies a set of principals that 
are granted or denied access to perform operations on an item (col 7, lines 1-4). 
Claim 11: 

Belani further discloses the security component includes at least one of 
discretionary access control list, a system access control list, and a security identifier 
(col 5, lines 8-12 and col 6, lines 63-66).
Claim 21:

Belani inherently discloses a computer readable medium having computer 
readable instructions stored thereon for implementing the security component of claim 1 
as Belani's system is disclosed as being used with a computer system (col 1, lines 10-13).

Claim 22: 

Belani discloses a computer-implemented method to facilitate data item security, 
comprising: 

1. Defining at least one security policy for a data store that includes at least one
hierarchical data structure containing a plurality of data items, i.e. resources (col 3,
lines 39-43; col 4, lines 55-57; col 6, lines 50-61; col 8, lines 15-26). A domain is 
part of a network, which can be considered a data store. 

2. Defining at least one security region for the data store including the at least one 
hierarchical data structure (col 8, lines 15-26 and col 9, lines 25-35 and 52-59). 

3. Applying the security policy to the security region associated with the data store 
including the at least one hierarchical data structure (col 8, lines 15-26). 

Security region can read on many things disclosed by Belani, including resources,
groups, domains, and users. 
Claim 25: 

Belani further discloses processing security policies for at least one of a tree 
structure and a containment hierarchy (Fig 5; col 6, lines 50-62; and col 8, lines 15-26).
Claim 26:

Belani further discloses mapping security policy to a security region from a 
remote location from a database (col 2, lines 59-64 and 59-61). 
Claim 27: 

Belani further discloses the security policy is associated with an Access Control 
List having one or more Access Control Entries (col 6, lines 50-55). 
Claim 29: 

Belani discloses a computer-implemented system that facilitates database security
processing, comprising: 

1. Means for defining a security policy (col 8, lines 15-26). 

2. Means for determining a security region for the security policy (col 8, lines 15-26 
and col 9, lines 25-35 and 52-59). 

3. Means for applying the security policy to a data store containing at least one of 
the tree structures and a containment hierarchy in accordance with the security 
region (col 8, lines 15-26). 

Claim 30: 

Belani discloses a computer readable medium having a data structure stored 
thereon, comprising: 

1. A first data field related to a security region associated with a data store
containing at least one hierarchical data structure (col 6, lines 63-66).

2. A second data field that relates to a security policy (col 6, lines 50-62).

A third data field that links the security policy to the security region must
inherently exist in Belani's invention or there would be no way to associate the security 
region with a security policy. 
Claim 31: 

Belani further discloses a field for an access mask specifying at least one of 
object-specific access rights, standard access rights, and generic access rights (col 7, 
lines 42-48 and Fig 4). 
Claim 32: 

Belani inherently discloses a security field for similarly protected security regions 
(col 6, lines 50-62). This security field must inherently exist or similarly protected 
security regions would not have similar security policies. The examiner believes that 
the second data field disclosed in claim 30 reads on this limitation. 

Claim Rejections - 35 USC § 103 

Claims 5, 12-17, 23-24, and 28 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Belani et al (US 6,772,350) in view of Dennis et al (US 6,466,932). 
Claim 5: 

Belani further discloses the security policy is mapped from within the data store 
(col 6, lines 50-61). Belani does not explicitly disclose the security policy is mapped 
from outside the data store. 

However, Dennis discloses the security policy is mapped from outside the data 
store, i.e. an administrator defines the policy explicitly (col 7, lines 15-21). It would have
been obvious to one of ordinary skill in the art at the time the applicant's invention was
made to incorporate Dennis's teachings with Belani's according to the limitation recited
in claim 5. One of ordinary skill would have been motivated to do so as Dennis's
teachings allow for a way for an administrator to handle any conflicting policies and to 
manually set group security policies (col 7, lines 7-21). 
Claim 12: 

Belani does not explicitly disclose an ordering component that arranges one or 
more Access Control Entries (ACE) in an Access Control List (ACL) to determine a 
security policy that is enforced for an item. However, Dennis discloses this limitation 
(col 7, lines 7-11 and col 8, lines 26-31). 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made in light of Dennis's teachings to further modify the 
system disclosed by Belani according to the limitations recited in claim 12. One of 
ordinary skill would have been motivated to do so as Dennis teaches that it would allow 
for a way to handle conflicting policies (col 7, lines 7-11). 
Claim 13: 

Belani and Dennis do not explicitly disclose the ordering algorithm as recited in 
claim 13. However, Belani discloses inherited ACL's on a data item, i.e. resource node 
(col 8, lines 63-66). Further, Dennis discloses ranking the security policies in an access 
list (col 8, lines 26-31) which reads on the algorithm as recited in claim 13. 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made to have incorporated Dennis's teachings into the
combination system of Belani and Dennis according to the limitations recited in claim
13. One of ordinary skill would have been motivated to do so for the same reasons
given in claim 12.

Claim 14: 

Belani and Dennis do not explicitly disclose the ordering algorithm as recited in 
claim 14. However, Belani discloses inherited ACL's on a data item (col 8, lines 63-66). 
Further, Dennis discloses ranking the security policies in an access list (col 8, lines 26-31).
This also reads on the limitation recited in claim 14.

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made to have incorporated Dennis's teachings into the 
combination system of Belani and Dennis according to the limitations recited in claim
14. One of ordinary skill would have been motivated to do so for the same reasons
given in claim 12.

Claim 15: 

Belani and Dennis do not explicitly disclose further comprising a component that 
evaluates access rights for a given principal to a given data item. However, Belani 
discloses that access to a data item or resource is restricted by users and the users are 
limited to certain types of access (col 6, line 63-col 7, line 4). Therefore, there must 
exist a component in Belani's system that evaluates access rights for a given principal 
to a given item. 
Claim 16:

Belani does not disclose the security component further comprises an effective
access control list that is obtained by processing lists inherited by an item and adding 
inheritable access control entries in an explicit access control list. However, Dennis 
discloses the security policy of an item can be inherited from previous lists and an 
administrator explicitly defining additional security policies for the item. 

In light of this teaching by Dennis, it would have been obvious to one of ordinary 
skill in the art at the time the applicant's invention was made to further modify the
combination system of Belani and Dennis according to the limitation recited in claim 16. 
One of ordinary skill would have been motivated to do so for the same reasons given in 
claim 5. 
Claim 17: 

Belani further discloses the security component further comprises an access 
mask specifying at least one of object-specific access rights, standard access rights, 
and generic access rights (col 7, lines 42-48 and Fig 4). 
Claim 23: 

Belani discloses automatically supporting at least one inherited security policy 
(col 8, lines 56-66). Belani does not explicitly disclose automatically supporting at least 
one explicit security policy. However, Dennis discloses automatically supporting at least 
one explicit security policy (col 7, lines 15-21). 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made to further modify Belani's method according to the 
limitation recited in claim 23 in light of Dennis's teachings. One of ordinary skill would
have been motivated to incorporate Dennis's teachings for the same reason given in
claim 5. 
Claim 24: 

Belani does not explicitly disclose the method further comprising automatically 
ordering security policies. However, Dennis discloses this limitation (col 8, lines 26-31). 
It would have been obvious to one of ordinary skill in light of this teaching to further 
modify Belani's method according to the limitation recited in claim 24. One of ordinary skill
would have been motivated to do so for the same reason given in claim 12.
Claim 28: 

Belani does not explicitly disclose automatically arranging one or more Access 
Control Entries in the Access Control List to determine a security policy that is enforced 
for an item. However, Dennis discloses this limitation (col 8, lines 26-31). 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made in light of Dennis's teachings to further modify Belani's 
method according to the limitation recited in claim 28. One of ordinary skill would have 
been motivated to do so for the same reasons given in claim 12. 

Claim 8 is rejected under 35 U.S.C. 103(a) as being unpatentable over Belani et 
al (US 6,772,350) in view of applicant's admittance of prior art. 
Claim 8:

Belani discloses an Access Control List associated with a containment hierarchy
(Fig 5; col 6, lines 63-col 7, line 4; and col 8, lines 15-26). Belani does not explicitly 
disclose the Access Control List can be associated with a holding relationship of a 
containment hierarchy. 

However, the applicant disclosed in the specification that it was known in the
art at the time the applicant's invention was made that an Access Control can be 
associated with every file or directory in a hierarchy (p2, lines 2-7). The examiner 
asserts that a file located in a directory constitutes a holding relationship as the directory 
holds the file. 

It would have been obvious to one of ordinary skill in the art to modify Belani's 
system according to the limitation recited in claim 8. One of ordinary skill would have 
done so because the applicant admitted that it was known in the art that doing so would 
provide support for specifying a default ACL for newly created items in a directory
(p2, lines 4-7). 

The examiner notes that applicant argues that one of ordinary skill in the art 
would not interpret the above citation from applicant's specification as teaching the 
Access Control List to be associated with a holding relationship of a containment 
hierarchy. Applicant argues that the disclosure refers to a security model wherein ACL 
can be associated with every file OR directory in a hierarchy. The examiner respectfully 
does not see how that argument overcomes the above rejection. The examiner had 
stated that a file located in a directory constitutes a holding relationship as the directory 
holds the file. Applicant did not argue this point. Further, as applicant stated, the
teaching refers to a security model wherein the ACL can be associated with every file or
directory. As it is associated with a directory, it is associated with a holding 
relationship. 



Claims 9 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Belani et al (US 6,772,350) in view of applicant's admittance of prior art and further in 
view of Dennis et al (US 6,466,932). 
Claim 9: 

Belani does not explicitly disclose a plurality of Access Control Lists (i.e. group 
policy objects) to facilitate security for the containment of hierarchy. However, Dennis 
discloses a plurality of Access Control Lists to facilitate security for the containment 
hierarchy (col 2, lines 3-7). 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made to further modify Belani's system according to the 
limitation recited in claim 9. One of ordinary skill would have done so because Dennis 
discloses that it would have allowed for each ACL (policy objects) to be associated with 
different hierarchically-organized directory objects/regions (col 2, lines 3-7). 
Claim 20: 

Belani does not explicitly disclose a component that does at least one of create a
new item in a container, add an explicit ACL to an item, add a holding link to an item,
delete a holding link from an item, delete an explicit ACL from an item and modify an
ACL associated with an item.

However, the use of folders/directories in operating systems was known in the art 
at the time the applicant's invention was made. This was admitted by the applicant in 
the specification (p1, lines 9-20). A directory reads on a container and it was known 
that one could create a new item or file in a directory. When you create or place an item 
in a directory, you are using what is known as a "holding link" as the folder holds the 
item. When an item is deleted or moved, the holding link the item had with the folder is 
deleted. The applicant also admitted that it was known in the art that a file has an ACL 
associated with it (p2, paragraph 2). It was also known that when the file is moved from 
one directory to another, the ACL for the file can be updated, i.e. modified or deleted
and replaced with a new ACL (p2, lines 15-17). Further, Dennis discloses adding an 
explicit ACL to an item (col 7, lines 15-21). 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made to further modify Belani's system according to the 
limitations recited in claim 20. One of ordinary skill would have been motivated to 
incorporate the previous known art because it would be a starting point for 
improvements via the teachings as disclosed by Belani. One of ordinary skill would be 
motivated to incorporate Dennis's teachings of an explicit ACL for an item according to 
the limitations recited in claim 20 for the same reasons given in claim 5.

Claims 18-19 and 33 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Belani et al (US 6,772,350) in view of Sandler et al (US 2003/0217033). 
Claim 18: 

Belani further discloses similarly protected security regions (col 9, lines 52-59). 
Belani does not explicitly disclose a security table for similarly protected security 
regions. However, there must be some sort of database used to keep track of the 
similarly protected security regions disclosed by Belani. Further, Sandler discloses that 
data in a database management system are typically stored in the form of records, 
which are typically presented logically in the form of a table (p1, paragraph 0002 and
Fig 13A). 

In light of Sandler's disclosure, it would have been obvious to one of ordinary skill 
in the art to further modify Belani's system according to the limitation recited in claim 18. 
One of ordinary skill would have done so because of typical practice in the art: Sandler
discloses that a table is typically used to organize data in a database (p1, paragraph
0002) and Belani's system must have some sort of security database to keep track of 
the similarly protected security regions, therefore typically the security data would be 
organized in a security table. 
Claim 19: 

Belani and Sandler do not explicitly disclose the security table includes at least 
one of the following fields: an Item Identity, an Item Ordpath, an Explicit Item, a Path 
ACL, and a Region ACL. However, Sandler discloses that data in a database
management system are typically stored in the form of records, which are typically
presented logically in the form of a table and attributes as the columns, i.e. record fields
(p1, paragraph 0002 and Fig 13A). The tables as seen in Fig 13A have record fields
which read on the fields recited in claim 19.

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made in light of common practice in the art of databases as 
disclosed by Sandler to further modify Belani's system according to the limitation recited 
in claim 19. One of ordinary skill would have been motivated to do so for the same
reason given in claim 18. 
Claim 33: 

Belani does not explicitly disclose a security field includes at least one of an Item 
identity, an Ordpath, an Explicit Item, a Path ACL, and a Region ACL. However, 
Sandler discloses that data in a database management system are typically stored in 
the form of records, which are typically presented logically in the form of a table and 
attributes as the columns, i.e. record fields (p1, paragraph 0002 and Fig 13A). The 
tables as seen in Fig 13A have record fields which read on the fields recited in claim
33. 

It would have been obvious to one of ordinary skill in the art at the time the 
applicant's invention was made in light of common practice in the art of databases as 
disclosed by Sandler to further modify Belani's system according to the limitation recited 
in claim 33. One of ordinary skill would have been motivated to do so for the same 
reason given in claim 18.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ponnoreay Pich whose telephone number is 571-272-7962.
The examiner can normally be reached on 8:00am-4:30pm Mon-Fri.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).